Perhaps one of the most difficult things for an information technology (IT) department to understand is the concept of segregation of duties and when it may be required. It becomes even more difficult in the context of managing a complete application system, which includes the application as well as the database back end.
An IT department has to be able to see the standard it is expected to live up to and get a sense of the big picture. While there is a lot of written guidance to this effect, it is difficult to find a source that will commit to laying out an example.
After performing its own search, the Corus Entertainment Inc. IT department sought another perspective regarding segregation of duties for the in-scope applications. In response, the roles vs. activities matrix shown in figure 1 was created.
The first thing to be said about the matrix is, of course, that it is not "one size fits all." It represents a reflection of goals for the organization and shows a specific granularity. The purpose of this matrix was to provide a common understanding and a place to start negotiations.
When using this as an internal auditor, it may not always be possible to separate some of these roles, but once a conflict is identified, the IT department knows that it must justify the appropriateness of what appears to be a conflict, segregate the duties or implement some form of mitigation.
No matter what the outcome is of such an exercise, members of the IT department will understand how their work is being evaluated, and they will be better prepared for comments. Segregation of duties sparked the liveliest exchanges of Corus Entertainment's internal audit. Since findings may change how people perform their day-to-day functions, they should receive clear feedback.
Note: Cells marked with an "X" indicate roles and tasks that are incompatible with each other, and where segregation of duties is advised.
is manager, IT standards and compliance, at Corus Entertainment Inc. in Toronto, Ontario, Canada.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.